From: Andreas S. <and...@ca...> - 2015-11-09 13:36:23

Hi Ferdinand,

I can't see any interaction with the card other than using the random number
generator (00 84 00 00 APDUs in the log). I'm not sure what Thunderbird is
trying to do.

On 11/09/2015 09:51 AM, Ferdinand Rau wrote:
> Dear Andreas,
>
> Please find here the requested output of OpenSC:
> https://www.dropbox.com/s/9boccale15atwkd/OPENSC_DEBUG.txt.zip?dl=1
> (The file was too large for direct mailing.)
>
> It was recorded with OPENSC_DEBUG=9 during the following actions:
> Starting Thunderbird, connecting the reader, inserting the smart card,
> trying to send an encrypted e-mail, waiting for the error message,
> killing Thunderbird.
>
> Note that with OPENSC_DEBUG set to 9, Thunderbird freezes before presenting
> the previously mentioned error message. It may be related to the enormous
> 500000 lines of DEBUG output OpenSC had to process :-)
> I hope the log file is helpful anyway.
>
> I have had issues with this particular card reader and CTAPI. If there is
> no other way to make this work, I can still try the sc-hsm-embedded
> alternative, but currently I prefer to stay with pcscd.
>
> Best,
> Ferdinand
>
> On 11/08/2015 10:21 PM, Andreas Schwier <and...@ca...> wrote:
>> Hi Ferdinand,
>>
>> can you set OPENSC_DEBUG=9 so we can see what is going on?
>>
>> As an alternative you could try [1], which has been tested with D-Trust
>> 3.0 cards.
>>
>> Andreas
>>
>> [1] https://github.com/CardContact/sc-hsm-embedded/wiki/PKCS11
>>
>> On 11/08/2015 09:08 PM, Ferdinand Rau wrote:
>>> Dear all,
>>>
>>> I am trying to get PDF signatures to work with LibreOffice 5.0 and my
>>> D-TRUST card 3.0, which requires a properly set up Mozilla NSS, which in
>>> turn requires OpenSC. I access the card via a USB smart card reader
>>> "ReinerSCT cyberJack RFID komfort" on Debian Jessie Linux with OpenSC
>>> 0.15.0.
>>> The card is listed here, but not explicitly marked as supported:
>>> https://github.com/OpenSC/OpenSC/wiki/German-ID-Cards
>>>
>>> The card is (probably) a Starcos 3.4 type card, therefore I compiled
>>> OpenSC 0.15.0 with the following patch:
>>> https://github.com/OpenSC/OpenSC/pull/357
>>>
>>> The result is as follows:
>>> 1. I can see the certificates on the card in Mozilla NSS after entering
>>>    my PIN number on the reader's pinpad.
>>>
>>> 2. I can select a certificate for signing in LibreOffice. Then, I am
>>>    asked for my PIN both in a dialog on screen and again on the reader's
>>>    pinpad. The reader's display says "PIN correct" and there is no error
>>>    message, but no signature is applied to the document.
>>>
>>> 3. Alternatively, I tried signing an e-mail in Thunderbird. The result is
>>>    slightly different: When sending the e-mail, I am prompted to enter my
>>>    PIN on the reader's pinpad. The reader's display says "PIN correct",
>>>    but the signing fails with the following error message: "Sending
>>>    message failed. You specified that this message should be digitally
>>>    signed, but the application either failed to find the signing
>>>    certificate specified in your Mail & Newsgroups Account Settings, or
>>>    the certificate has expired." Needless to say, the certificate has not
>>>    expired.
>>>
>>> Please find below the output of several common commands. Could someone
>>> please confirm that
>>> a) the card is suitable for this kind of digital signature in principle
>>> b) the card is not supposed to work with OpenSC 0.15.0 without the
>>>    aforementioned patch
>>> c) the card is supposed to work with OpenSC 0.15.0 with the patch and
>>>    all future versions including the patch
>>>
>>> If someone can help with the troubleshooting, that would be awesome.
>>> Just getting definitive answers to the above a), b), c) would be a real
>>> good starting point, though.
>>>
>>> Best regards, and thanks in advance,
>>> Ferdinand
>>>
>>>
>>>> $ opensc-tool -i
>>>> OpenSC 0.15.0 [gcc 4.9.2]
>>>> Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)
>>>
>>> ----------------------
>>>
>>>> $ opensc-tool --list-readers
>>>> # Detected readers (pcsc)
>>>> Nr.  Card  Features  Name
>>>> 0    Yes   PIN pad   REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>>
>>> ----------------------
>>>
>>>> $ opensc-tool --name
>>>> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>>> STARCOS SPK 3.4
>>>
>>> ----------------------
>>>
>>>> $ opensc-tool --atr
>>>> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>>> 3b:d8:18:ff:81:b1:fe:45:1f:03:80:64:04:1a:b4:03:81:05:61
>>>
>>> ----------------------
>>>
>>>> $ pkcs11-tool --list-slots
>>>> Available slots:
>>>> Slot 0 (0xffffffff): Virtual hotplug slot
>>>>   (empty)
>>>> Slot 1 (0x1): REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>>>   token label        : D-TRUST Card V3.0 standard 2ga (
>>>>   token manufacturer : D-TRUST GmbH (C)
>>>>   token model        : PKCS#15
>>>>   token flags        : rng, login required, PIN initialized, PIN pad present, token initialized
>>>>   hardware version   : 0.0
>>>>   firmware version   : 0.0
>>>>   serial num         :
>>>> Slot 2 (0x2): REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>>>   token label        : D-TRUST Card V3.0 standard 2ga (
>>>>   token manufacturer : D-TRUST GmbH (C)
>>>>   token model        : PKCS#15
>>>>   token flags        : rng, login required, PIN initialized, PIN pad present, token initialized
>>>>   hardware version   : 0.0
>>>>   firmware version   : 0.0
>>>>   serial num         :
>>>
>>> ----------------------
>>>
>>>> $ pkcs11-tool --list-objects
>>>> Using slot 1 with a present token (0x1)
>>>> Public Key Object; RSA 2048 bits
>>>>   label:      D-TRUST Authentication Key
>>>>   ID:         11
>>>>   Usage:      encrypt, verify, wrap
>>>> Certificate Object, type = X.509 cert
>>>>   label:      D-TRUST Authentication Key
>>>>   ID:         11
>>>> Certificate Object, type = X.509 cert
>>>>   label:
>>>>   ID:         2d333730343631303735333036303830313534
>>>> Public Key Object; RSA 2048 bits
>>>>   label:
>>>>   ID:         2d333730343631303735333036303830313534
>>>>   Usage:      encrypt, verify
>>>> Certificate Object, type = X.509 cert
>>>>   label:
>>>>   ID:         2d32303036363939383139343731343534393238
>>>> Public Key Object; RSA 2048 bits
>>>>   label:
>>>>   ID:         2d32303036363939383139343731343534393238
>>>>   Usage:      encrypt, verify
>>>
>>> ----------------------
>>>
>>>> $ pkcs15-tool -D
>>>> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>>> PKCS#15 Card [D-TRUST Card V3.0 standard 2ga]:
>>>>         Version        : 0
>>>>         Serial number  :
>>>>         Manufacturer ID: D-TRUST GmbH (C)
>>>>         Flags          : Login required, EID compliant
>>>>
>>>> PIN [PIN1]
>>>>         Object Flags   : [0x3], private, modifiable
>>>>         Auth ID        : 03
>>>>         ID             : 01
>>>>         Flags          : [0x833], case-sensitive, local, initialized, needs-padding, exchangeRefData
>>>>         Length         : min_len:6, max_len:8, stored_len:8
>>>>         Pad char       : 0xFF
>>>>         Reference      : 1 (0x01)
>>>>         Type           : iso 9664-1
>>>>         Path           : a000000063504b43532d3135::
>>>>
>>>> PIN [PUK1]
>>>>         Object Flags   : [0x3], private, modifiable
>>>>         ID             : 03
>>>>         Flags          : [0x873], case-sensitive, local, initialized, needs-padding, unblockingPin, exchangeRefData
>>>>         Length         : min_len:8, max_len:8, stored_len:8
>>>>         Pad char       : 0xFF
>>>>         Reference      : 1 (0x01)
>>>>         Type           : iso 9664-1
>>>>         Path           : a000000063504b43532d3135::
>>>>
>>>> PIN [PIN2]
>>>>         Object Flags   : [0x3], private, modifiable
>>>>         Auth ID        : 04
>>>>         ID             : 02
>>>>         Flags          : [0x833], case-sensitive, local, initialized, needs-padding, exchangeRefData
>>>>         Length         : min_len:6, max_len:8, stored_len:8
>>>>         Pad char       : 0xFF
>>>>         Reference      : 129 (0x81)
>>>>         Type           : iso 9664-1
>>>>         Path           : 3f000604
>>>>
>>>> PIN [PUK2]
>>>>         Object Flags   : [0x3], private, modifiable
>>>>         ID             : 04
>>>>         Flags          : [0x873], case-sensitive, local, initialized, needs-padding, unblockingPin, exchangeRefData
>>>>         Length         : min_len:8, max_len:8, stored_len:8
>>>>         Pad char       : 0xFF
>>>>         Reference      : 129 (0x81)
>>>>         Type           : iso 9664-1
>>>>         Path           : 3f000604
>>>>
>>>> Private RSA Key [D-TRUST Authentication Key]
>>>>         Object Flags   : [0x1], private
>>>>         Usage          : [0x2E], decrypt, sign, signRecover, unwrap
>>>>         Access Flags   : [0x0]
>>>>         ModLength      : 2048
>>>>         Key ref        : 1 (0x1)
>>>>         Native         : yes
>>>>         Path           : a000000063504b43532d3135::3f000fff0f01
>>>>         Auth ID        : 01
>>>>         ID             : 11
>>>>         MD:guid        : {a8abd012-eb59-b862-bf9b-c1ea443d2f35}
>>>>           :cmap flags  : 0x0
>>>>           :sign        : 0
>>>>           :key-exchange: 0
>>>>
>>>> Private RSA Key [SigG Signature Key]
>>>>         Object Flags   : [0x1], private
>>>>         Usage          : [0x200], nonRepudiation
>>>>         Access Flags   : [0x0]
>>>>         ModLength      : 2048
>>>>         Key ref        : 4 (0x4)
>>>>         Native         : yes
>>>>         Path           : a000000063504b43532d3135::3f0006040f01
>>>>         Auth ID        : 02
>>>>         ID             : 12
>>>>         MD:guid        : {c4f87a62-90ae-e1ac-fc1f-26083974ce94}
>>>>           :cmap flags  : 0x0
>>>>           :sign        : 0
>>>>           :key-exchange: 0
>>>>
>>>> Public RSA Key [D-TRUST Authentication Key]
>>>>         Object Flags   : [0x2], modifiable
>>>>         Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
>>>>         Access Flags   : [0x0]
>>>>         ModLength      : 2048
>>>>         Key ref        : 1 (0x1)
>>>>         Native         : yes
>>>>         Path           : a000000063504b43532d3135::3f000fff0e01
>>>>         Auth ID        : 01
>>>>         ID             : 11
>>>>
>>>> Public RSA Key [SigG Signature Key]
>>>>         Object Flags   : [0x2], modifiable
>>>>         Usage          : [0x204], sign, nonRepudiation
>>>>         Access Flags   : [0x0]
>>>>         ModLength      : 2048
>>>>         Key ref        : 4 (0x4)
>>>>         Native         : yes
>>>>         Path           : a000000063504b43532d3135::3f0006040e01
>>>>         Auth ID        : 02
>>>>         ID             : 12
>>>>
>>>> X.509 Certificate [D-TRUST Authentication Key]
>>>>         Object Flags   : [0x2], modifiable
>>>>         Authority      : no
>>>>         Path           : a000000063504b43532d3135::3f001501c100
>>>>         ID             : 11
>>>>         Encoded serial : 02 03 168A81
>>>> X.509 Certificate [SigG Signature Key]
>>>>         Object Flags   : [0x2], modifiable
>>>>         Authority      : no
>>>>         Path           : a000000063504b43532d3135::3f001501c103
>>>>         ID             : 12
>>>>         Encoded serial : 02 03 168A82
>>>> X.509 Certificate []
>>>>         Object Flags   : [0x0]
>>>>         Authority      : no
>>>>         Path           : a000000063504b43532d3135::3f001501c102
>>>>         ID             : 2d32303036363939383139343731343534393238
>>>>         Encoded serial : 02 03 030E96
>>>> X.509 Certificate []
>>>>         Object Flags   : [0x0]
>>>>         Authority      : no
>>>>         Path           : a000000063504b43532d3135::3f001501c101
>>>>         ID             : 2d333730343631303735333036303830313534
>>>>         Encoded serial : 02 03 097D43
>>>> X.509 Certificate []
>>>>         Object Flags   : [0x0]
>>>>         Authority      : no
>>>>         Path           : a000000063504b43532d3135::3f001501c105
>>>>         ID             : 37353738323838313038333736373637303437
>>>>         Encoded serial : 02 03 159923
>>>> X.509 Certificate []
>>>>         Object Flags   : [0x0]
>>>>         Authority      : no
>>>>         Path           : a000000063504b43532d3135::3f001501c104
>>>>         ID             : 38323832353936323735353833303736353131
>>>>         Encoded serial : 02 03 159924
>>>
>>> ----------------------
>>>
>>>> $ pcsc_scan
>>>> PC/SC device scanner
>>>> V 1.4.23 (c) 2001-2011, Ludovic Rousseau <lud...@fr...>
>>>> Compiled with PC/SC lite version: 1.8.11
>>>> Using reader plug'n play mechanism
>>>> Scanning present readers...
>>>> 0: REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>>>
>>>> Sat Nov  7 01:39:47 2015
>>>> Reader 0: REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>>>   Card state: Card inserted,
>>>>   ATR: 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61
>>>>
>>>> ATR: 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61
>>>> + TS = 3B --> Direct Convention
>>>> + T0 = D8, Y(1): 1101, K: 8 (historical bytes)
>>>>   TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
>>>>     129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
>>>>   TC(1) = FF --> Extra guard time: 255 (special value)
>>>>   TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
>>>> -----
>>>>   TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1
>>>> -----
>>>>   TA(3) = FE --> IFSC: 254
>>>>   TB(3) = 45 --> Block Waiting Integer: 4 - Character Waiting Integer: 5
>>>>   TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following
>>>> -----
>>>>   TA(4) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V
>>>> + Historical bytes: 80 64 04 1A B4 03 81 05
>>>>   Category indicator byte: 80 (compact TLV data object)
>>>>     Tag: 6, len: 4 (pre-issuing data)
>>>>       Data: 04 1A B4 03
>>>>     Tag: 8, len: 1 (status indicator)
>>>>       LCS (life card cycle): 05
>>>> + TCK = 61 (correct checksum)
>>>>
>>>> Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
>>>> 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61
>>>>         D-Trust multicard advanced 3.1
>>>>         German public health insurance card ("Gesundheitskarte"), issuer SBK "Siemens Betriebskrankenkasse"
>>>
>>> Note: This is not fully correct. This type of card is used for the German
>>> health insurance, but also for other uses, such as my QES signature card.
>>> The name is incorrectly hardcoded in the list that ships with pcsc_scan.
>>>
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> Opensc-devel mailing list
>>> Ope...@li...
>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel

-- 

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
                 http://www.smartcard-hsm.com
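The pcsc_scan breakdown of the card's ATR quoted in the thread can be reproduced offline, which is useful when a reader or card behaves oddly and you want to check by hand what the card actually announced (protocols, T=1 block parameters, historical bytes, and whether the TCK checksum is intact) before trusting any name lookup. The following Python is an added example written for this page, not code from OpenSC or pcsc_scan; it implements the public ISO/IEC 7816-3 ATR layout (TS, T0, chained TA/TB/TC/TD interface bytes, historical bytes, TCK) and the compact-TLV historical-byte format, and is fed the D-TRUST card's ATR exactly as `opensc-tool --atr` printed it above. The card-name lookup against smartcard_list.txt is deliberately left out, since that list is exactly what the thread shows to be unreliable.

```python
"""Decode an ISO/IEC 7816-3 Answer To Reset (ATR) the way pcsc_scan does.

Added example for this thread, not code from OpenSC or pcsc_scan.
"""

# ISO 7816-3 tables indexed by the two nibbles of TA1 (None = RFU code).
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None, None,
            512, 768, 1024, 1536, 2048, None, None]
FMAX_MHZ = [4, 5, 6, 8, 12, 16, 20, None, None, 5, 7.5, 10, 15, 20, None, None]
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20] + [None] * 6
# Compact-TLV tags that may follow a 0x80 category indicator byte.
COMPACT_TLV_TAGS = {0x4: "initial access data", 0x5: "card issuer data",
                    0x6: "pre-issuing data", 0x7: "card capabilities",
                    0x8: "status indicator"}
CLOCK_STOP = ["not supported", "state L", "state H", "no preference"]


def parse_atr(atr):
    """Split an ATR given as hex ('3b:d8:..', '3B D8 ..' or '3bd8..') into fields."""
    data = bytes.fromhex(atr.replace(":", "").replace(" ", ""))
    if len(data) < 2 or data[0] not in (0x3B, 0x3F):
        raise ValueError("not an ATR: need TS in {3B,3F} followed by T0")
    out = {"convention": "direct" if data[0] == 0x3B else "inverse",
           "interface": {}, "protocols": []}
    t0 = data[1]
    k = t0 & 0x0F                  # number of historical bytes
    y = t0 & 0xF0                  # presence bits for TA1..TD1
    pos, i, global_idx = 2, 1, None
    while True:                    # walk the chained interface bytes
        for bit, name in ((0x10, "TA"), (0x20, "TB"), (0x40, "TC"), (0x80, "TD")):
            if y & bit:
                if pos >= len(data):
                    raise ValueError(f"ATR truncated before {name}{i}")
                out["interface"][f"{name}{i}"] = data[pos]
                pos += 1
        td = out["interface"].get(f"TD{i}")
        if td is None:
            break
        out["protocols"].append(td & 0x0F)          # low nibble: protocol T
        if td & 0x0F == 15 and global_idx is None:  # next TA carries global bits
            global_idx = i + 1
        y, i = td & 0xF0, i + 1                     # high nibble: Y(i+1)
    out["global_ta"] = out["interface"].get(f"TA{global_idx}") if global_idx else None
    out["historical"] = data[pos:pos + k]
    if len(out["historical"]) != k:
        raise ValueError("ATR truncated inside the historical bytes")
    pos += k
    # TCK is present unless only T=0 is offered; XOR of T0..TCK must be zero.
    if any(p != 0 for p in out["protocols"]):
        if pos >= len(data):
            raise ValueError("TCK missing")
        xor = 0
        for b in data[1:pos + 1]:
            xor ^= b
        out["TCK"], out["tck_ok"] = data[pos], xor == 0
        pos += 1
    else:
        out["TCK"], out["tck_ok"] = None, None
    if pos != len(data):
        raise ValueError(f"{len(data) - pos} unexpected trailing byte(s)")
    # Transmission parameters from TA1 (7816-3 default 0x11 if TA1 is absent).
    ta1 = out["interface"].get("TA1", 0x11)
    out["Fi"], out["Di"] = FI_TABLE[ta1 >> 4], DI_TABLE[ta1 & 0x0F]
    out["fmax_mhz"] = FMAX_MHZ[ta1 >> 4]
    out["cycles_per_etu"] = out["Fi"] // out["Di"] if out["Fi"] and out["Di"] else None
    return out


def bitrate(info, clock_mhz):
    """Bit rate in bit/s at the given clock, as pcsc_scan prints it."""
    return int(clock_mhz * 1_000_000 / info["cycles_per_etu"])


def decode_first_global_ta(ta):
    """TA after T=15: bits 7-6 clock-stop indicator, bits 5-0 accepted classes."""
    classes = [c for bit, c in ((1, "A"), (2, "B"), (4, "C")) if ta & bit]
    return CLOCK_STOP[ta >> 6], classes


def decode_historical(hist):
    """Historical bytes with category indicator 0x80: list of compact-TLV objects."""
    if not hist or hist[0] != 0x80:
        return [("raw", hist)]
    objs, pos = [], 1
    while pos < len(hist):
        tag, length = hist[pos] >> 4, hist[pos] & 0x0F
        value = hist[pos + 1:pos + 1 + length]
        if len(value) != length:
            raise ValueError("compact-TLV object runs past the historical bytes")
        objs.append((COMPACT_TLV_TAGS.get(tag, f"tag {tag}"), value))
        pos += 1 + length
    return objs


if __name__ == "__main__":
    # ATR of the D-TRUST Card V3.0 as printed by opensc-tool --atr in the thread.
    info = parse_atr("3b:d8:18:ff:81:b1:fe:45:1f:03:80:64:04:1a:b4:03:81:05:61")
    print(info["convention"], "convention; protocols T =", info["protocols"])
    for name, value in info["interface"].items():
        print(f"  {name} = {value:02X}")
    print(f"  Fi={info['Fi']} Di={info['Di']} -> {info['cycles_per_etu']} cycles/ETU,"
          f" {bitrate(info, 4)} bit/s at 4 MHz, {bitrate(info, info['fmax_mhz'])} at fMax")
    print("  TA after T=15:", decode_first_global_ta(info["global_ta"]))
    for kind, value in decode_historical(info["historical"]):
        print(f"  {kind}: {value.hex()}")
    print(f"  TCK = {info['TCK']:02X}", "ok" if info["tck_ok"] else "BAD")
```

Running it on the thread's ATR yields the same values pcsc_scan printed: T=1 twice and T=15 once, Fi=372/Di=12 (31 cycles per ETU, 129032 bit/s at 4 MHz), TA4=03 meaning no clock stop and classes A and B, pre-issuing data 04 1A B4 03, status indicator 05, and a correct TCK of 61. A failing `tck_ok` is worth treating as a reader or transport problem rather than a card property, since every later identification step keys off those same bytes.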